Supply Chain Under Siege: The @antv npm Incident
The recent compromise of the @antv npm packages marks a new stage in software supply chain attacks. A threat actor gained access to a maintainer account and published malicious versions of widely used data-visualization libraries. Because these packages are dependencies, direct or transitive, of thousands of applications, the malicious versions propagated across the JavaScript ecosystem with every fresh install. The payload runs silently from an install script during npm install and activates only inside GitHub Actions. What sets this campaign apart is that the attacker subverted the trust mechanisms themselves, most notably by generating SLSA provenance attestations for the malicious packages.
One of the most alarming aspects of this incident is not the credential theft alone but the deliberate effort to look legitimate. By forging SLSA attestations, the malicious packages could pass automated checks that only confirm an attestation is present and validly signed. This marks a shift from noisy exploitation to quiet subversion of the pipelines that organizations trust to catch exactly this kind of tampering.
How SLSA Provenance Forgery Undermines Trust
SLSA (Supply chain Levels for Software Artifacts) is a framework for securing software supply chains by attaching verifiable metadata, called provenance, to each built artifact. Provenance records who built the artifact (the builder identity), from what source (repository, commit, workflow), with which parameters and dependencies, and when; the builder signs it so that it cannot be altered after the fact. The goal is to let consumers confirm that a package was built exactly as claimed, from the source they expect, with no hidden modifications.
The @antv payload, however, includes the ability to produce SLSA provenance through the Sigstore infrastructure: Fulcio, the certificate authority that issues short-lived signing certificates to whoever presents a valid OIDC identity token, and Rekor, the public transparency log that records the signatures. Sigstore's keyless flow is designed to be used from inside CI, so code running within a GitHub Actions job that has an OIDC token available can obtain a certificate, sign a provenance statement whose contents it controls, and log it. The result is an attestation that is structurally valid, validly signed and present in the log, which is exactly what an automated check that stops at "is there a valid attestation?" looks for.
The technical analysis puts it in one line: "Forges SLSA provenance attestations through Sigstore (Fulcio or Rekor) to appear legitimate". That line underscores a critical point: trust is only as strong as its weakest verification point. A signature proves that some identity signed some statement; it does not by itself prove that the identity is the builder you expect or that the statement describes the source you expect. A verifier that checks format and signature but not those two things accepts whatever a well-placed attacker signs.
This is not merely theoretical. The attested packages passed initial scrutiny in CI/CD pipelines that rely on attestation checks, and organizations that assumed SLSA-level controls protected their builds were executing adversary-injected code. The check a consumer actually needs compares the attestation's subject digest, builder identity and source repository against expectations it holds independently of the package. npm's own npm audit signatures command verifies registry signatures and provenance attestations for installed packages, but it cannot know which repository a package is supposed to be built from; that expectation has to come from the consumer's own policy.
Attack Chain: From npm Install to Credential Exfiltration
The attack begins when developers run npm install on a project that depends—directly or transitively—on a compromised @antv package. The legitimate index.js file is replaced with a single-line obfuscated script. This script uses two layers of obfuscation:
- Layer 1: 1,732 Base64-encoded strings stored in a rotated array, decoded at runtime using a shuffle key (0xa31de).
- Layer 2: Critical strings (such as C2 domains and environment variable names) stored encrypted, with the key derived at runtime by PBKDF2 over SHA-256 and the strings decrypted only when they are needed.
Once decoded, the payload performs environment gating: it exits immediately unless it is running on GitHub Actions on Linux. The malware therefore stays dormant on developer machines and in most analysis sandboxes and activates only in the CI/CD environments that hold the credentials it is after.
Next, the payload gives itself a passwordless sudo rule by bind-mounting a file it controls over sudoers configuration. On GitHub-hosted Linux runners the runner user already has passwordless sudo, so this step matters most on self-hosted runners that do not grant it.
It also modifies /etc/hosts, which overrides name resolution on the host, so that later lookups of chosen hostnames resolve to addresses the attacker picks; that supports follow-on redirection and interception of traffic from the runner.
The malware then proceeds to steal credentials from multiple platforms:
| Platform | Method |
|---|---|
| GitHub | Extracts GITHUB_TOKEN, scans for PATs (gh[op]_), validates via /user API, enumerates repo and org secrets |
| AWS | Queries IMDS, ECS metadata, reads .aws/ files, harvests env vars, calls SecretsManager across all regions |
| HashiCorp Vault | Searches 12+ token paths, connects to local Vault at 127.0.0.1:8200 |
| npm | Validates tokens via /-/whoami, exchanges OIDC tokens for publish access |
| Kubernetes | Reads service account tokens, enumerates namespace secrets |
| 1Password | Interacts with CLI, attempts master password extraction with 2FA bypass |
Perhaps most insidious is the scraping of the GitHub Actions runner's process memory. The payload scans /proc for the Runner.Worker PID and extracts secrets directly from that process's memory. GitHub's secret masking only redacts known secret values from log output; the worker holds them in plaintext in memory, so reading memory bypasses masking entirely. Reading another process's memory needs either the same user with permissive ptrace settings or root, which is where the sudo rule set up earlier comes in.
Propagation, Persistence, and Evasion Tactics
After initial compromise, the malware spreads laterally, installs a second-stage payload, and sets up ongoing credential capture. The technical analysis summarizes these steps as:
- Enumerates /user/repos and /user/orgs to spread into additional repositories
- Installs Bun runtime, executes second-stage payload using bun run .claude/
- Deploys token monitor for ongoing credential capture
Spreading through /user/repos and /user/orgs means every repository the stolen token can write to becomes a new launch point, which is how a single compromised CI job turns into an organization-wide incident. Installing its own runtime also means the second stage does not depend on the Node.js version or the packages the victim happens to have.
Data exfiltration uses more than one channel:
- Primary: HTTPS (port 443) to a C2 domain whose name is stored encrypted in the payload, preceded by a DNS pre-check and a health probe
- Fallback: the GitHub Git Data API, creating blobs, trees, or commits in victim repositories on non-protected branches
- Tertiary: Creates public repos under victim accounts with reversed description (“niagA oG eW ereH :duluH-iahS”); more than 2,200 of these repos have been observed as of this writing
Read back to front, the description is "Shai-Hulud: Here We Go Again", which is why these repositories are easy to find once you know to look. For the Git-based channel, the payload avoids main, master, gh-pages and the bot-managed dependabot/ and renovate/ branches, so that its commits land where branch protection, reviewers and bot automation are least likely to notice them.
Response, Mitigation, and the Future of CI/CD Security
Upon discovery, GitHub acted swiftly:
GitHub acted immediately to limit further damage. It removed 640 malicious packages and invalidated 61,274 npm granular access tokens with write permissions and 2FA bypass, preventing leaked tokens from being used in this or similar attacks.
GitHub also published advisories in the GitHub Advisory Database and alerted users via Dependabot and npm audit. The company continues to monitor for additional affected packages.
Microsoft Defender recommends several mitigations:
- Review dependency trees for usage of affected @antv packages
- Pin known-good versions; avoid automatic upgrades
- Run npm install with --ignore-scripts to disable pre- and post-install hooks
- Rotate all potentially exposed credentials
Disable pre- and post-installation script execution by ensuring you run npm install with --ignore-scripts.
Setting ignore-scripts to true in the project's .npmrc makes this the default for every install rather than something each developer and workflow has to remember. Be aware that it also skips the install scripts that legitimate packages with native components depend on, so those builds then need to be run explicitly for the packages you have vetted.
Even with GitHub’s token invalidation, Microsoft emphasizes proactive rotation:
Microsoft Defender still recommends rotating credentials, tokens, npm access tokens, CI/CD secrets, and cloud credentials that might have been exposed in affected build or developer environments.
Organizations should audit their GitHub accounts for unexpected public repositories carrying the reversed description and revoke any implicated tokens. CI/CD logs should be reviewed for suspicious outbound connections and script execution during npm install: a Bun runtime being installed, writes to /etc/hosts or sudoers, or access to /proc from a build step are all out of place in a normal dependency install.
The incident confirms that CI/CD security work, much of it done remotely, is more critical than ever. As development shifts toward distributed, cloud-native workflows, securing the pipeline from source to deployment is no longer optional, and demand for remote software supply chain security roles in 2026 is growing, particularly for work focused on attestation validation, CI/CD pipeline auditing, and automated threat detection.
For companies hiring in this space, expertise in SLSA, Sigstore, and npm supply chain integrity is becoming a baseline requirement. The attack shows that even widely trusted open-source projects are exposed, not only to code injection but to forgery of the very trust signals meant to detect it.